Web applications are integral parts of many enterprise applications. While they provide a convenient mechanism for organizations to render their services in a customer convenient manner, they are often the targets for abuse. Effects of such abuses can often be devastating and costly to recover from. Hence, all non-trivial web applications should be developed, tested, selected, evaluated, bought, deployed and operated with sufficient security controls.
This advanced training on web application security distinguishes threats, vulnerabilities and attacks. Each threat, vulnerability and attack is looked at in detail and countermeasures are identified. Some topics are highlighted for their increased relevance or the need for greater explanation.
At the end of the training, participants will be able to
- Audit and evaluate the security of web applications.
- Identify the degree to which a given web application should be secured.
- Recommend security improvement areas of a given web application.
- Classify, list and describe the known threats, vulnerabilities, attacks and countermeasures as applicable for web applications.
- Implement web applications with high security (Applicable for developers).
- Deploy and administrate web applications with tight security controls (Applicable for deployers and administrators).
- Web application security auditing and technical evaluation staff
- Information system threat modelers
- Web application developers
- Web application deployment staff
- Administrators of web based systems
- Participants should have the general understanding of the World Wide Web and the Internet.
- Though not necessarily required, prior knowledge on HTML and HTTP will be an advantage.
- Though not necessarily required, prior experience in writing web applications will be an advantage.
- Though not necessarily required, prior familiarity with auditing and evaluating information systems will be an advantage.
3 days (~24 hours)
Kamal Wickramanayake (Profile)
- The training is done with hands-on lab exercises where participants will test, evaluate and correct a number of threat, vulnerability and attack scenarios as applicable to web applications.
- While there will be many topics related to web application development, participants should not consider this training an opportunity to learn how to write web applications in general. This training specifically focuses on the security.
- What is taught during the training is applicable for web applications implemented in any programming language or platform. However, only to demonstrate many of the web application vulnerabilities, code snippets implemented in PHP language will be used. PHP is an easily understood scripting language and is in wide used. If requested, Java code (JSP/Servlet or even Struts/Tiles and JSF) can alternatively be used if the participants are familiar with those technologies.
- The landscape of web application security
- The need for specifically dealing with the security of web applications
- Terminology (threats, vulnerabilities, attacks, countermeasures)
- Threat classification
- Details of many (10+) known threats and countermeasures (not listed for brevity)
- Vulnerability classification
- Details of many (20+) known vulnerabilities and countermeasures (not listed for brevity)
- Attack classification
- Details of many (10+) known attacks and countermeasures (not listed for brevity)
- Effectiveness of phishing and pharming countermeasures
- Threat of search engines
- Security challenges of Web services
- AJAX and other rich interface technologies
- User visible design flaws
- Secure coding principles
- Evaluating firewalls
- Contracting for secure software
- In-house and outsourced software development
- Many freely available purpose built and ad hoc tools will be introduced to automate testing and improve efficiency.